An Unprotected ElasticSearch server containing 4 million intern applications exposed online

• A misconfiguration in Elasticsearch servers exposed 4 million intern applications online.
• The exposed applications involved personal information such as email addresses, full names, dates of birth, gender, applicants’ reasons for applying for the internships, and interview details.

An unsecured Elasticsearch server of AIESEC exposed at least 4 million intern applications. AIESEC is the world’s largest youth-run NGO organization having nearly 100,000 members across 127 countries.

The leaky server was uncovered on January 11, 2019, by a security researcher Bob Diachenko of SecurityDiscovery.com.

What was exposed?

Diachenko explained in a blog that the open ElasticSearch database contained 4 million of applications which included personal information such as email addresses, full names, dates of birth, gender, applicants’ reasons for applying for the internships, and interview details.

What was AIESEC's response?

Upon discovery on January 11, Diachenko immediately reported the unprotected ElasticSearch database to AIESEC, which later secured the leaky database.

“We take the security of our customers' information extremely seriously. After looking into this matter, we immediately secured the vulnerability, disabling unauthorized access to the cluster. The data was cached on the node for testing purposes and mistakenly left unsecured. We can confirm that the server now contains no sensitive information,” AIESEC said.

The youth-run organization further said that it is checking its system for further similar vulnerabilities. The NGO has already contacted the data protection authorities and the potentially affected users as per GDPR protocol.

“The vulnerability arose from a misconfiguration that was introduced into the Elasticsearch servers while evaluating certain improvements for the cluster as part of a current infrastructure improvement project we are running. We started work around 20 days ago [prior to Jan 11th, when a notification was sent. – Bob Diachenko’s note], so this is around when the misconfiguration was introduced” a spokesperson for AIESEC said.